The fact that for BEAST, CRIME and LT there is not a fully implemented and *public* PoC, doesn't mean that those attack were/are not critical.
They were very critical when they came out, and involved more trickery than Heartbleed to work. I guess you can find full PoC implementations if you search hard ;-) Cheers antisnatchor Ron Bowes wrote: > Are there actually any real-world attack scenarios for BEAST, CRIME, or > Lucky-thirteen? > > Heartbleed has been used in actual legitimate attacks, but those earlier > attacks all seem pretty tame in comparison. Worth fixing, of course, but > they don't seem *as* critical to me. > > Ron > > > On Wed, Apr 16, 2014 at 3:10 AM, Shawn <cit...@gmail.com> wrote: > >> After an exciting and crazy week. People are getting calm and plan or >> already start to doing audit on their system. But there are something >> you might miss. The older version of OpenSSL( like 0.9.8) might not >> affected by heartbleed issue but it doesn't mean you are secure. Don't >> forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME( >> 2012), Lucky-thirteen( 2013)[1]. I do believe Lucky-thirteen is far >> more dangerous than heartbleed, we just don't know. Once you start the >> audit, plz upgrade the OpenSSL to the latest version. If you are using >> 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13 >> issue. >> >> Fix heartbleed issue for website is much easier than the networking >> devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party >> software. This definitely gonna impacting for long term. >> >> >> [1] http://www.isg.rhul.ac.uk/tls/ >> >> -- >> GNU powered it... >> GPL protect it... >> God blessing it... >> >> regards >> Shawn >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
